A Trusted Information Sharing Project* Syracuse University Electrical Engineering & Computer Science Shiu-Kai Chin, Polar Humenn, Thumrongsak Kosiyatrakul, Susan Older Maxwell School of Citizenship and Public Affairs Terrell Northrup, Stuart Thorson _____________________________ *Partially sponsored by the CASE Center at Syracuse University – A Center for Advanced Technology in Information Technology sponsored by NYSTAR
28
Embed
A Trusted Information Sharing Project* - University at Buffalo · Electrical Engineering & Computer Science ... 1. Trusted Information Sharing Project ... understanding and ethics
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Shiu-Kai Chin, Polar Humenn, Thumrongsak Kosiyatrakul, Susan Older
Maxwell School of Citizenship and Public AffairsTerrell Northrup, Stuart Thorson
_____________________________*Partially sponsored by the CASE Center at Syracuse University – A Center for Advanced Technology in Information Technology sponsored by NYSTAR
2
Conclusions
• Sharing information in some cases is less about protocols and secure access control and more about establishing and maintaining trust between people and organizations
• Solutions rooted in engineering must be carefully integrated with solutions rooted in the social sciences
• Social science aspects predominate
3
Victims of Sexual Assault“I would say that victims choose not to report for many reasons. Some of the most common reasons expressed are concerns for their privacy, the desire to return to their normal lives as soon as possible, concerns that they will not be believed, that attempts at criminal prosecution will be futile, and that the criminal process will actually put the victim on trial, leading to re-victimization. Some victims also fear reprisal from the offender.”
Janet EpsteinAssociate Director
Syracuse University R.A.P.E. Center
4
Our Project• Produce a trusted system for sharing crime-related
information between between SU’s Dept. of Public Safety (DPS) and Syracuse Police Dept. (SPD)
• Focus on sexual-assault information reported by victims to SU’s R.A.P.E. (Rape: Advocacy, Prevention, and Education) Center
• Status: Prototype CORBA-based system demonstrated, paper-based protocol for victims in development– Those authorized can access, those without denied– All access requests audited
5
Long-Range Vision• Rigorously link concepts of trust in the social
sciences to concepts of trust in computer science & engineering– Trust is domain specific– System includes humans and computers– Complexity arises out of size, cultural differences,
unpredictability, and composition• Hypothesis: The ability to rigorously relate societal
notions of trust to engineering notions of trust enables policy makers, technologists, and citizens to better assess the trustworthiness of systems
• Starting point: relate computer science notions of rights and access to social-science notions of rights
6
An Interdisciplinary View• Basic research on trust:
– Philosophers: Annette Baier (delayed accounting), Thomas Scanlon (credible promises)
– Formal methods: embedding into HOL theorem prover existing access control calculi (Lampson, Abadi, Burrows, Wobber, Howell, Kotz) based on modal logic to reason about rights, privileges, delegation, roles, and policies
– Our extensions: incorporating RBAC and SARBAC (Scoped Administration of RBAC by Crampton) into the underlying Kripke model of principal calculus of Lampson, Abadi, et. al.
• Applied research on security standards:– Humenn: author of CORBA CSIv2 and ATLAS security
standards– Humenn: one author of OASIS XACML v1.1: evaluation of
credentials pertaining to access control• Experiments: Trusted Info Sharing Project
7
This Talk
• Describe the project and what we have learned so far
• Briefly describe the engineering aspects• Focus on underlying social-science
principles• Examine how the principles were
instantiated in the project• Observations and conclusions
8
1. Trusted Information Sharing Project
• Adapt the existing incident reporting system used by Syracuse University Department of Public Safety (DPS) to be electronically accessed by authorized personnel from the outside, such as the Syracuse City Police Department (SPD)
• Make this access adhere to security, and privacy laws/concerns, with a focus on sexual assault incidents
9
Principals
• SU R.A.P.E. (Rape: Advocacy, Prevention, and Education) Center– Information owners and victim advocates
• SU Department of Public Safety (DPS)– Interface between SU and police department
• Syracuse Police Department– Abused Persons Unit (APU)
• CASE Center: technologists• Maxwell School: social scientists
10
Lessons Learned: Needed are
Engineering• Precise descriptions of
scopes of authority, delegation, credentials, access-control decisions
• Common understanding of protocols
• Means for independent verification
Social Science• Extended empathy:
extension of person’s understanding and ethics to a new group
• Ecological validity: coverage of all cases encountered in “real life”
• Delayed accounting: postpone accounting to allow use of resources
• Credible promises
11
2. Engineering Details
• Policy written in XACML v 1.0
• Access control enforced by CORBA secure ORB CSIv2
• Secure sessions via Kerberos
SPDSPICEPS
Client
DPSAegis
Workstation
DPSAegis
Workstation
CORBACOASPIDS
SQL
DPS Intranet
Internet
DPSSPICEPS
Server
DPSSQL
Database
CORBACOASPIDS
XACMLAccess Control
Policy
SQL
KerberosServer
12
Data
• Data on incidents and people spread across several SQL DB tables
• Data modelled as COAS (Clinical Observation Access Service) observations and PIDS (Person IDentification Service) identities
• Interfaces consistent with COAS and PIDS
13
3. Social Science Principles Supporting Trust
• Extended empathy: people sometimes extend their understanding of motives and ethics to people they may not know
• Ecological validity: systems and protocols cover all “real life” cases
• Delayed accounting: resources used to further ends of principals rather than on verifying credibility
14
Promises, Scanlon• Principle M (no manipulation): not misleading
someone to do something they might not otherwise do
• Principle D (due care): not misleading someone to a false expectation about what you will or won’t do
• Principle L (loss prevention): if someone will suffer a significant loss if you don’t do something they expect you to do, then you must take reasonable steps to prevent that loss
• Principle F (fidelity): you will do what you say you will do, particularly when you have given assurances to this effect
These are paraphrases. Read the full text
These are paraphrases. Read the full text
15
4. Application of Principles• R.A.P.E. Center staff are trusted advocates for
victims. They must come to trust TISP in order for them to offer TISP as an option to victims
• Due diligence by Center staff has focused on being reasonably assured that Scanlon’s four principles are satisfied– Principle M: Getting victims to disclose – Principle D: Making sure Center staff are not legally
compelled to disclose by engaging in TISP– Principle L: Making sure victims’ identities are shielded– Principle F: Precisely and accurately understanding TISP
protocols, technology, limitations, and consequences
16
Extended Empathy
• Established by reaching a consensus as to why sharing sexual-assault information is a positive good– Assisting investigations, better understanding of
this type of crime leading to enhanced education, lessons learned can be applied to other information-sharing projects
• Initially feasible because DPS Chief Marlene Hall was trusted by all principals– She was able to articulate to each group the value
of the project and the shared motivations.
17
Ecological Validity• Established by Terrie Northrup acting as “interpreter”
between Lt. Becky Thompson of SPD’s APU, Janet Epstein Assoc Director or R.A.P.E. Center, & Dessa Bergen-Cico, Dean of Students
• Outcomes: precise understanding of R.A.P.E. Center protocols, information it gathers, and obligation to its clients
• Similar level of understanding of APU operations• Policy and legal issues affecting Center• Preliminary paper-based information sharing protocol
between DPS and Center
18
Delayed Accounting
• Illustrated by fact that CASE staff member Polar Humenn had complete access to DPS Aegis Public Safety System
• Initial lower trust level established by Hall & Chin vouching for their respective staff
• Built and maintained by Humenn and Adams of DPS over a series of technical meetings
19
5. Observations & Conclusions
• It may be possible to formalize some of Scanlon’s principles using modal logic
• There are limits to the assurances we can provide to victims
• It may be that developing trusted systems may require that a pre-existing climate of trust exist between subsets of people who will construct or vouch for the system
20
Conclusions
• Sharing information in some cases is less about protocols and secure access control and more about establishing and maintaining trust between people and organizations
• Solutions rooted in engineering must be carefully integrated with solutions rooted in the social sciences
• Social science aspects predominate
21
Backup Slides
22
Existing System• AEGISTM Incident Reporting System
– Frontend: • AEGISTM Client Software provides a GUI to entering and
examining incident data.– Backend:
• All AEGIS data is stored on a Microsoft SQL Server
• AEGISTM Software– AEGISTM software is client software that directly
manipulates database tables through SQL.• Exporting AEGISTM to SPD requires opening up
SQL to the open network is therefore, not sufficient for our security concerns.
23
Solution System Architecture• Wrap existing AEGISTM SQL database tables
– Use middle tier that provides guarded access to DPS information outside of DPS.
• Develop clients that access the information through the middle tier.
• Use industry standards (OMG, OASIS)– Clinical Observation Access Service (COAS)– Person Identification Service (PIDS)– Common Object Request Broker Architecture (CORBA)– Secure CORBA (CSIv2)– Kerberos– eXtensible Access Control Markup Language (XACML)
24
Information View• Incidents are modelled as COAS
“observations”.• A Subject of an Incident (Person) is modelled
as a PIDS “identity”.• A subject is uniquely tied to the incident in
which he/she appears because access policy must mitigate the release of people involved in certain incidents, such as rape..
• Access Policy is written to explicitly deny or filter out observations and traits of identities that are not allowed to be seen by a certain requester of the information.
25
Computational View• The COAS and PIDS integrated CORBA
interfaces follow the their respective data models.
• Kerberos provides authentication identifiers.• Use of CORBA interfaces allows easy
integration of CORBA security CSIv2 and GSS-Kerberos.
• XACML provides the vehicle to write access policy based on the requester's Kerberos identifiers and the data model.
26
Engineering View• Servers
– Hardware• Microsoft SQL Server holding AEGIS database.• Linux Debian PC as middle tier.
– Functionality• Modified COAS and PIDS from Los Alamos National
Laboratory's Telemed Project on the Linux PC
• Clients– Custom Java built GUI providing secure, authenticated access
to the COAS and PIDS interfaces
• Security– Adiron.com Secure ORB SL3 (Secure CORBA based
infrastructure) and XACML Access Decision Engine.– Kerberos (Standard MIT Kerberos Distribution)
27
Clinical Observation Access Service (COAS)
• The COAS standard is a CORBA interface description allowing the organization of information that is based on a data model of “observations”.
• This standard provides different interfaces for the access and management of observation data.
• Observations are related to people, which is defined by the Person Identification Service (PIDS).
• As all data is input by DPS officials using the AEGIS system, we merely use the “access”interfaces outside of DPS.
28
Person Identification Service• The Object Management Group (OMG) PIDS
standard is a CORBA interface for the organization identifying information about persons.
• This standard provides a set of interfaces for the access and management of identities, and their identifying “traits”.
• As all data is input by DPS officials using the AEGIS system, we merely use the “access”interfaces outside of DPS.